Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 15:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe
-
Size
128KB
-
MD5
2470014edec5466e8cd1e1824a8cdab0
-
SHA1
45cb215b83430a3ccb5295cd70d1eec2cdcd8f4d
-
SHA256
3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379e
-
SHA512
2687a3cca83159bdac3a3c575a2ce1c345ece2216f4c84ffbf7637fee3ea18eb52a11e3486bf839524083b9efc5575b3b76107c1de97bd789815d2c82de937e8
-
SSDEEP
3072:3PgzNl+ULazKsCaeAK7DxSvITW/cbFGS9n:3PgzNl+U+zKsCxAuhCw9n
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggagmjbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icdcllpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlhkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npbklabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Djjjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Momfan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modlbmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbklabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnqlmq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jbclgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcjog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppefg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Njgpij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fpdkpiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phklaacg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfocnjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiioin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dncibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlifadkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igceej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnimiblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elacliin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gconbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kcdlhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odkgec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjcjog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnchhllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iamfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiqpigl.exe -
Executes dropped EXE 64 IoCs
pid Process 2832 Cocphf32.exe 3008 Cgoelh32.exe 2580 Cnimiblo.exe 2024 Cnimiblo.exe 2724 Cbdiia32.exe 1316 Cebeem32.exe 2988 Cmpgpond.exe 2296 Ccjoli32.exe 108 Dfkhndca.exe 980 Dcohghbk.exe 2240 Dilapopb.exe 1228 Dbdehdfc.exe 112 Dinneo32.exe 2068 Dhckfkbh.exe 2524 Domccejd.exe 1592 Elacliin.exe 2332 Ebklic32.exe 2884 Edlhqlfi.exe 3044 Eaphjp32.exe 1088 Emgioakg.exe 2008 Ehlmljkm.exe 2140 Ephbal32.exe 2368 Edcnakpa.exe 2436 Fdekgjno.exe 1796 Fgdgcfmb.exe 2748 Fplllkdc.exe 1588 Fiepea32.exe 2744 Fcmdnfad.exe 2740 Figmjq32.exe 2920 Fennoa32.exe 2272 Flhflleb.exe 2780 Ggagmjbq.exe 380 Goiongbc.exe 2592 Gpjkeoha.exe 2292 Gaihob32.exe 1708 Gnphdceh.exe 2880 Gqodqodl.exe 484 Gcmamj32.exe 788 Gmeeepjp.exe 2152 Gconbj32.exe 2268 Gmhbkohm.exe 1956 Hinbppna.exe 1036 Hkmollme.exe 2556 Hfbcidmk.exe 1968 Hkolakkb.exe 1728 Hbidne32.exe 3056 Hiclkp32.exe 1480 Hnpdcf32.exe 2216 Hqnapb32.exe 2400 Hieiqo32.exe 2760 Hjgehgnh.exe 2972 Hbnmienj.exe 2160 Heliepmn.exe 2612 Hgkfal32.exe 2976 Ijibng32.exe 2480 Imgnjb32.exe 316 Icafgmbe.exe 688 Igmbgk32.exe 2016 Ingkdeak.exe 3036 Icdcllpc.exe 1992 Igoomk32.exe 1856 Imlhebfc.exe 2284 Ipjdameg.exe 1180 Icfpbl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2712 3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe 2712 3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe 2832 Cocphf32.exe 2832 Cocphf32.exe 3008 Cgoelh32.exe 3008 Cgoelh32.exe 2580 Cnimiblo.exe 2580 Cnimiblo.exe 2024 Cnimiblo.exe 2024 Cnimiblo.exe 2724 Cbdiia32.exe 2724 Cbdiia32.exe 1316 Cebeem32.exe 1316 Cebeem32.exe 2988 Cmpgpond.exe 2988 Cmpgpond.exe 2296 Ccjoli32.exe 2296 Ccjoli32.exe 108 Dfkhndca.exe 108 Dfkhndca.exe 980 Dcohghbk.exe 980 Dcohghbk.exe 2240 Dilapopb.exe 2240 Dilapopb.exe 1228 Dbdehdfc.exe 1228 Dbdehdfc.exe 112 Dinneo32.exe 112 Dinneo32.exe 2068 Dhckfkbh.exe 2068 Dhckfkbh.exe 2524 Domccejd.exe 2524 Domccejd.exe 1592 Elacliin.exe 1592 Elacliin.exe 2332 Ebklic32.exe 2332 Ebklic32.exe 2884 Edlhqlfi.exe 2884 Edlhqlfi.exe 3044 Eaphjp32.exe 3044 Eaphjp32.exe 1088 Emgioakg.exe 1088 Emgioakg.exe 2008 Ehlmljkm.exe 2008 Ehlmljkm.exe 2140 Ephbal32.exe 2140 Ephbal32.exe 2368 Edcnakpa.exe 2368 Edcnakpa.exe 2436 Fdekgjno.exe 2436 Fdekgjno.exe 1796 Fgdgcfmb.exe 1796 Fgdgcfmb.exe 2748 Fplllkdc.exe 2748 Fplllkdc.exe 1588 Fiepea32.exe 1588 Fiepea32.exe 2744 Fcmdnfad.exe 2744 Fcmdnfad.exe 2740 Figmjq32.exe 2740 Figmjq32.exe 2920 Fennoa32.exe 2920 Fennoa32.exe 2272 Flhflleb.exe 2272 Flhflleb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hinbppna.exe Gmhbkohm.exe File opened for modification C:\Windows\SysWOW64\Kcginj32.exe Kkpqlm32.exe File created C:\Windows\SysWOW64\Ejilio32.dll Oalkih32.exe File created C:\Windows\SysWOW64\Kneoni32.dll Djjjga32.exe File created C:\Windows\SysWOW64\Gconbj32.exe Gmeeepjp.exe File created C:\Windows\SysWOW64\Hkmollme.exe Hinbppna.exe File created C:\Windows\SysWOW64\Ebnabb32.exe Eppefg32.exe File opened for modification C:\Windows\SysWOW64\Fdkmeiei.exe Famaimfe.exe File created C:\Windows\SysWOW64\Caejbmia.dll Iogpag32.exe File created C:\Windows\SysWOW64\Keppajog.dll Iamfdo32.exe File opened for modification C:\Windows\SysWOW64\Nbeedh32.exe Nnjicjbf.exe File opened for modification C:\Windows\SysWOW64\Famaimfe.exe Fggmldfp.exe File created C:\Windows\SysWOW64\Gmeeepjp.exe Gcmamj32.exe File created C:\Windows\SysWOW64\Hiclkp32.exe Hbidne32.exe File created C:\Windows\SysWOW64\Icfpbl32.exe Ipjdameg.exe File created C:\Windows\SysWOW64\Dokmejcg.dll Lgkkmm32.exe File created C:\Windows\SysWOW64\Qkddnqcm.dll Olpbaa32.exe File created C:\Windows\SysWOW64\Fmohco32.exe Folhgbid.exe File opened for modification C:\Windows\SysWOW64\Eogolc32.exe Elibpg32.exe File created C:\Windows\SysWOW64\Pbonaedo.dll Hmpaom32.exe File opened for modification C:\Windows\SysWOW64\Jnmiag32.exe Jlnmel32.exe File created C:\Windows\SysWOW64\Fplllkdc.exe Fgdgcfmb.exe File created C:\Windows\SysWOW64\Dmidng32.dll Ppmgfb32.exe File created C:\Windows\SysWOW64\Ccmkid32.dll Jabponba.exe File created C:\Windows\SysWOW64\Nlfnje32.dll Gqodqodl.exe File created C:\Windows\SysWOW64\Pdioqoen.dll Oimmjffj.exe File created C:\Windows\SysWOW64\Odecjfnl.dll Alageg32.exe File opened for modification C:\Windows\SysWOW64\Afliclij.exe Apppkekc.exe File created C:\Windows\SysWOW64\Mlbblc32.dll Ipjdameg.exe File created C:\Windows\SysWOW64\Bgdkkc32.exe Bfcodkcb.exe File created C:\Windows\SysWOW64\Deondj32.exe Dbabho32.exe File created C:\Windows\SysWOW64\Fdkmeiei.exe Famaimfe.exe File created C:\Windows\SysWOW64\Iocgfhhc.exe Hiioin32.exe File opened for modification C:\Windows\SysWOW64\Jplfkjbd.exe Jibnop32.exe File created C:\Windows\SysWOW64\Kqmidcdi.dll Kpdcfoph.exe File created C:\Windows\SysWOW64\Njgpij32.exe Npbklabl.exe File created C:\Windows\SysWOW64\Pfnmmn32.exe Phklaacg.exe File created C:\Windows\SysWOW64\Aclpaali.exe Alageg32.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Icfpbl32.exe File opened for modification C:\Windows\SysWOW64\Pioeoi32.exe Pbemboof.exe File created C:\Windows\SysWOW64\Qlfdac32.exe Qdompf32.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fggmldfp.exe File created C:\Windows\SysWOW64\Gqodqodl.exe Gnphdceh.exe File opened for modification C:\Windows\SysWOW64\Ndcapd32.exe Nbeedh32.exe File created C:\Windows\SysWOW64\Aihgmjad.dll Aognbnkm.exe File created C:\Windows\SysWOW64\Apnmpn32.dll Efedga32.exe File created C:\Windows\SysWOW64\Oqfopomn.dll Honnki32.exe File created C:\Windows\SysWOW64\Ghcmae32.dll Hfhfhbce.exe File created C:\Windows\SysWOW64\Ifkmqd32.dll Jefbnacn.exe File created C:\Windows\SysWOW64\Hjmlhbbg.exe Hgnokgcc.exe File opened for modification C:\Windows\SysWOW64\Lbjofi32.exe Ldgnklmi.exe File created C:\Windows\SysWOW64\Ljpfmo32.dll Ifgicg32.exe File opened for modification C:\Windows\SysWOW64\Lncfcgeb.exe Lkdjglfo.exe File created C:\Windows\SysWOW64\Kioljfll.dll Npbklabl.exe File opened for modification C:\Windows\SysWOW64\Ppmgfb32.exe Picojhcm.exe File opened for modification C:\Windows\SysWOW64\Popgboae.exe Ppmgfb32.exe File created C:\Windows\SysWOW64\Fennoa32.exe Figmjq32.exe File created C:\Windows\SysWOW64\Blkman32.dll Igoomk32.exe File created C:\Windows\SysWOW64\Iokofcne.dll Kenoifpb.exe File created C:\Windows\SysWOW64\Mphiqbon.exe Lnjldf32.exe File created C:\Windows\SysWOW64\Pdnfmn32.dll Kapohbfp.exe File created C:\Windows\SysWOW64\Dcohghbk.exe Dfkhndca.exe File opened for modification C:\Windows\SysWOW64\Npdhaq32.exe Njgpij32.exe File created C:\Windows\SysWOW64\Hmjofl32.dll Odkgec32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4444 4408 WerFault.exe 389 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhdgdmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenoifpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbmbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljldnhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiclkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlhqlfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joidhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icafgmbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcblan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpqfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbbgqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqodqodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknpadcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfaeme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elacliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbcidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjbkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdompf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmdbnnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heliepmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmpolof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajmjcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflgih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmgfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcohghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnphdceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdekgjno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgingm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbpca32.dll" Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjhqh32.dll" Gconbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mphiqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfjecle.dll" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlcjk32.dll" Ingkdeak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dkdmfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcginj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphaobfe.dll" Onqkclni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Npdhaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fdkmeiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ieponofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fmdbnnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnmpn32.dll" Efedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll" Cnimiblo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dinneo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Icfpbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Laqojfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Folhgbid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hcepqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Igceej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dilapopb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdmkoepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Npbklabl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kjhcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ebklic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkkmgncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iocgfhhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgngbmjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" Mflgih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciagojda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijpfppe.dll" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbdehdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Goiongbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jaecod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ikqnlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" Fggmldfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjqff32.dll" Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnmkplj.dll" Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhgkj32.dll" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgikm32.dll" Eogolc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2712 wrote to memory of 2832 2712 3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe 31 PID 2712 wrote to memory of 2832 2712 3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe 31 PID 2712 wrote to memory of 2832 2712 3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe 31 PID 2712 wrote to memory of 2832 2712 3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe 31 PID 2832 wrote to memory of 3008 2832 Cocphf32.exe 32 PID 2832 wrote to memory of 3008 2832 Cocphf32.exe 32 PID 2832 wrote to memory of 3008 2832 Cocphf32.exe 32 PID 2832 wrote to memory of 3008 2832 Cocphf32.exe 32 PID 3008 wrote to memory of 2580 3008 Cgoelh32.exe 33 PID 3008 wrote to memory of 2580 3008 Cgoelh32.exe 33 PID 3008 wrote to memory of 2580 3008 Cgoelh32.exe 33 PID 3008 wrote to memory of 2580 3008 Cgoelh32.exe 33 PID 2580 wrote to memory of 2024 2580 Cnimiblo.exe 34 PID 2580 wrote to memory of 2024 2580 Cnimiblo.exe 34 PID 2580 wrote to memory of 2024 2580 Cnimiblo.exe 34 PID 2580 wrote to memory of 2024 2580 Cnimiblo.exe 34 PID 2024 wrote to memory of 2724 2024 Cnimiblo.exe 35 PID 2024 wrote to memory of 2724 2024 Cnimiblo.exe 35 PID 2024 wrote to memory of 2724 2024 Cnimiblo.exe 35 PID 2024 wrote to memory of 2724 2024 Cnimiblo.exe 35 PID 2724 wrote to memory of 1316 2724 Cbdiia32.exe 36 PID 2724 wrote to memory of 1316 2724 Cbdiia32.exe 36 PID 2724 wrote to memory of 1316 2724 Cbdiia32.exe 36 PID 2724 wrote to memory of 1316 2724 Cbdiia32.exe 36 PID 1316 wrote to memory of 2988 1316 Cebeem32.exe 37 PID 1316 wrote to memory of 2988 1316 Cebeem32.exe 37 PID 1316 wrote to memory of 2988 1316 Cebeem32.exe 37 PID 1316 wrote to memory of 2988 1316 Cebeem32.exe 37 PID 2988 wrote to memory of 2296 2988 Cmpgpond.exe 38 PID 2988 wrote to memory of 2296 2988 Cmpgpond.exe 38 PID 2988 wrote to memory of 2296 2988 Cmpgpond.exe 38 PID 2988 wrote to memory of 2296 2988 Cmpgpond.exe 38 PID 2296 wrote to memory of 108 2296 Ccjoli32.exe 39 PID 2296 wrote to memory of 108 2296 Ccjoli32.exe 39 PID 2296 wrote to memory of 108 2296 Ccjoli32.exe 39 PID 2296 wrote to memory of 108 2296 Ccjoli32.exe 39 PID 108 wrote to memory of 980 108 Dfkhndca.exe 40 PID 108 wrote to memory of 980 108 Dfkhndca.exe 40 PID 108 wrote to memory of 980 108 Dfkhndca.exe 40 PID 108 wrote to memory of 980 108 Dfkhndca.exe 40 PID 980 wrote to memory of 2240 980 Dcohghbk.exe 41 PID 980 wrote to memory of 2240 980 Dcohghbk.exe 41 PID 980 wrote to memory of 2240 980 Dcohghbk.exe 41 PID 980 wrote to memory of 2240 980 Dcohghbk.exe 41 PID 2240 wrote to memory of 1228 2240 Dilapopb.exe 42 PID 2240 wrote to memory of 1228 2240 Dilapopb.exe 42 PID 2240 wrote to memory of 1228 2240 Dilapopb.exe 42 PID 2240 wrote to memory of 1228 2240 Dilapopb.exe 42 PID 1228 wrote to memory of 112 1228 Dbdehdfc.exe 43 PID 1228 wrote to memory of 112 1228 Dbdehdfc.exe 43 PID 1228 wrote to memory of 112 1228 Dbdehdfc.exe 43 PID 1228 wrote to memory of 112 1228 Dbdehdfc.exe 43 PID 112 wrote to memory of 2068 112 Dinneo32.exe 44 PID 112 wrote to memory of 2068 112 Dinneo32.exe 44 PID 112 wrote to memory of 2068 112 Dinneo32.exe 44 PID 112 wrote to memory of 2068 112 Dinneo32.exe 44 PID 2068 wrote to memory of 2524 2068 Dhckfkbh.exe 45 PID 2068 wrote to memory of 2524 2068 Dhckfkbh.exe 45 PID 2068 wrote to memory of 2524 2068 Dhckfkbh.exe 45 PID 2068 wrote to memory of 2524 2068 Dhckfkbh.exe 45 PID 2524 wrote to memory of 1592 2524 Domccejd.exe 46 PID 2524 wrote to memory of 1592 2524 Domccejd.exe 46 PID 2524 wrote to memory of 1592 2524 Domccejd.exe 46 PID 2524 wrote to memory of 1592 2524 Domccejd.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe"C:\Users\Admin\AppData\Local\Temp\3727098ec5b283bf5054d1933065e8b32960874a4c7b41845ebb656b6c40379eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Cnimiblo.exeC:\Windows\system32\Cnimiblo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Ccjoli32.exeC:\Windows\system32\Ccjoli32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:108 -
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Edlhqlfi.exeC:\Windows\system32\Edlhqlfi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Ehlmljkm.exeC:\Windows\system32\Ehlmljkm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1796 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:380 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe35⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe36⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:788 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe44⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe46⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe50⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe51⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe52⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe53⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Hgkfal32.exeC:\Windows\system32\Hgkfal32.exe55⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe57⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe63⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe66⤵PID:1636
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe67⤵PID:2560
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe68⤵
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe69⤵PID:1600
-
C:\Windows\SysWOW64\Ipomlm32.exeC:\Windows\system32\Ipomlm32.exe70⤵PID:2756
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe71⤵PID:2432
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe72⤵PID:2224
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe73⤵PID:2616
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe74⤵PID:2892
-
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe75⤵PID:1604
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1300 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe77⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe78⤵PID:2012
-
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe79⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe80⤵PID:2120
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe81⤵PID:2312
-
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1800 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe84⤵PID:692
-
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe86⤵PID:2896
-
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe87⤵PID:2640
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe88⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe89⤵PID:884
-
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe90⤵PID:2700
-
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe92⤵PID:1136
-
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe93⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1852 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2456 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe96⤵PID:1528
-
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe97⤵
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe98⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe99⤵PID:1324
-
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe100⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe102⤵PID:2632
-
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe104⤵
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe105⤵
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe106⤵PID:1768
-
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe107⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe108⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe110⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe111⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe112⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe113⤵PID:2752
-
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe114⤵PID:2956
-
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe115⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe116⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe117⤵PID:1696
-
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe118⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe119⤵PID:952
-
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe120⤵PID:1432
-
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-